just another infosec blog

Defacement by XSS

Cross Site Scripting (XSS) is an interesting concept. Long story short, it's a technique where you manage to inject code into a website or service so that it ends up being executed in the browsers of other visitors, with the full privileges of the site's origin. Most typically we're talking about Javascript, but other types (HTML, CSS, even plain markup that rewrites the page) also apply. Anyhow, today I'll be demonstrating a simple web site defacement using Javascript.

Now, for this to work we need to find a way to get this bit of code onto the target. All input that originates from users must be treated as untrusted, and care must be taken when that data is displayed back to other users: it has to be encoded for the context it lands in (HTML text, an attribute, a Javascript string) at the moment it is written into the page. Not all developers take care of such things and we'll try to exploit this. On any given site, track down input fields and try to enter some HTML tags (or the following Javascript, which will blow your cover for sure):

<script>alert("hello");</script>

See if you can spot whether the rendered HTML shows your alterations, or a popup box if you chose that route. If it does, you have found an XSS vulnerable site. If you are really lucky your input is written to the database and served to everyone who views the page, making the attack persistent (stored XSS). If not, the reflected variant still has its uses: the payload can be delivered to a victim in a crafted link, and it runs once for each person who follows it.

One of my all time favorite site features is the 'last published content' section. Especially if the site is publicly open and users can post whatever they want, since anything posted there is shown to every visitor of the front page. One of my standard tricks is to inject the following code whenever I find text input fields:

<script>window.location.href="http://www.example.org";</script>

When a browser parses the HTML sent from the server, it will happily execute this one-liner Javascript as part of the page. Any visitor to the page will be redirected to "http://www.example.org". Point it at a page stating "you've been hacked" and call it a day.
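To make the sanitizing point from above concrete, here is an added example (not code from the original post) of a tiny 'last published content' renderer in two versions: one that concatenates user posts straight into the HTML, and one that HTML-encodes them at output time. The post list, the function names and the `containsScriptTag` check are assumptions made for this illustration; the redirect payload is the one from the article.

```javascript
// Added example: rendering a "last published content" list two ways.
// Not code from the original post; SAMPLE_POSTS and the helper names
// below are assumptions made for illustration.

// Encode the characters that matter in an HTML text/attribute context.
// This is the minimum a server must do before echoing user data.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: user-supplied post bodies are pasted verbatim into the page,
// so a post containing <script> becomes a live script element.
function renderPageVulnerable(posts) {
  return '<h1>Last published content</h1><ul>' +
    posts.map((p) => `<li>${p}</li>`).join('') +
    '</ul>';
}

// Hardened: every untrusted value is encoded for the HTML context at
// output time, so a post can never break out of its <li>.
function renderPageSafe(posts) {
  return '<h1>Last published content</h1><ul>' +
    posts.map((p) => `<li>${escapeHtml(p)}</li>`).join('') +
    '</ul>';
}

// Crude detector: does the rendered HTML contain an actual <script> element
// (as opposed to escaped text that merely looks like one)?
function containsScriptTag(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// Constructed sample input: one ordinary post, then the redirect payload
// from the article as a second "post".
const SAMPLE_POSTS = [
  'Hello from a legitimate user',
  '<script>window.location.href="http://www.example.org";</script>',
];

// Returns true when the vulnerable renderer ships the payload as executable
// script while the hardened renderer ships it as inert text.
function demonstrateDefacement(posts) {
  const vulnerable = renderPageVulnerable(posts);
  const safe = renderPageSafe(posts);
  return containsScriptTag(vulnerable) && !containsScriptTag(safe);
}

console.log('vulnerable page:', renderPageVulnerable(SAMPLE_POSTS));
console.log('hardened page:  ', renderPageSafe(SAMPLE_POSTS));
console.log('payload executes only in the vulnerable page:', demonstrateDefacement(SAMPLE_POSTS));
```

Note that encoding is context-specific: the escaping above is right for HTML text and quoted attribute values, but data placed inside an inline script or a URL needs different treatment, and a Content Security Policy that forbids inline scripts is a useful second line of defence when the encoding is missed somewhere.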

This was fairly brief and easy to do, and it really fascinates me. It's easy to pose as an elite hacker with tricks like this, and we face them every day. Most of them are teenagers trying to impress; some are people curious about the limitations of the product(s) we produce. This is just one of the reasons I advocate secure coding as a principle.